CVE-2026-27899

{"id": "CVE-2026-27899", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-02-26T02:16:20.557", "references": [{"url": "https://github.com/h44z/wg-portal/security/advisories/GHSA-5rmx-256w-8mj9", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-863"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "WireGuard Portal (or wg-portal) is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with `\"IsAdmin\": true` in the JSON body. After logging out and back in, the session picks up admin privileges from the database. When a user updates their own profile, the server parses the full JSON body into the user model, including the `IsAdmin` boolean field. A function responsible for preserving calculated or protected attributes pins certain fields to their database values (such as base model data, linked peer count, and authentication data), but it does not do this for `IsAdmin`. As a result, whatever value the client sends for `IsAdmin` is written directly to the database. After the exploit, the attacker has full admin access to the WireGuard VPN management portal. The problem was fixed in v2.1.3. The docker images for the tag 'latest' built from the master branch also include the fix."}, {"lang": "es", "value": "WireGuard Portal (o wg-portal) es un portal de configuraci\u00f3n basado en web para la gesti\u00f3n de servidores WireGuard. Antes de la versi\u00f3n 2.1.3, cualquier usuario autenticado no administrador puede convertirse en un administrador completo enviando una \u00fanica solicitud PUT a su propio endpoint de perfil de usuario con 'IsAdmin': true en el cuerpo JSON. Despu\u00e9s de cerrar y volver a iniciar sesi\u00f3n, la sesi\u00f3n adquiere privilegios de administrador de la base de datos. Cuando un usuario actualiza su propio perfil, el servidor analiza el cuerpo JSON completo en el modelo de usuario, incluyendo el campo booleano IsAdmin. Una funci\u00f3n responsable de preservar atributos calculados o protegidos fija ciertos campos a sus valores de base de datos (como datos del modelo base, recuento de pares vinculados y datos de autenticaci\u00f3n), pero no lo hace para IsAdmin. Como resultado, cualquier valor que el cliente env\u00ede para IsAdmin se escribe directamente en la base de datos. Despu\u00e9s del exploit, el atacante tiene acceso de administrador completo al portal de gesti\u00f3n de VPN de WireGuard. El problema se solucion\u00f3 en la v2.1.3. Las im\u00e1genes de docker para la etiqueta 'latest' construidas desde la rama master tambi\u00e9n incluyen la soluci\u00f3n."}], "lastModified": "2026-03-02T18:52:39.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wgportal:wireguard_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EBB8589E-9B73-45D5-A26F-84E7A69EE57B", "versionEndExcluding": "2.1.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}